In this case, it's only getting a publicly viewable (to logged-in members) page - not a "private" or "restricted use" file. Nor is it doing anything like database entry or file writing.

I guess not, but again, I thought you might consider "Member ID" to be secret like your "Bank Account #" or "Social Security #", whereas a "Username" seems less secret, that's all.

The generally accepted rule of thumb is to use GET (i.e. in URL) to "get" stuff - a page, json etc. and POST (i.e. in a form) to post (send) stuff to the server for further handling.

Well, someone told me I shouldn't be so reliant on $_SESSION because it is easier to break - especially with Tabbed Browsing. (I didn't really understand what the person meant at the time, but since then, I have been trying to get more comfortable passing stuff from page to page via the Query String IF I think it is safe data to pass, and thus the whole point of this thread?!)

Thanks,

Debbie

It's not so much from a security point of view, but from a functionality/usability point of view.

Eg say you open an edit product page and assign the product Id of the product you are editing to the session[edit_id], but before you save that, you open up an edit product page for another product in another tab (to check something, eg stock level). Now when you go back to your other tab/window, the session edit_id has been replaced with the last product's Id. If you hit save, you replace product B's details with product A. Now you have 2 product A's with different Ids.

If you were passing the product Id via post vars instead of the session, it wouldn't happen.

There are ways around this without passing everything via get/post parameters. A combination of session and post vars ensures good security/usability provided you check that what is being sent via post matches what you are expecting compared with the session.

I take the approach of using a unique form Id and storing all session vars relating to that form under that id and passing the form Id via post.
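The per-form-id pattern from the reply above (state kept in the session under a random form id, the id posted back with the form, and the posted product id checked against what that form was opened for), as an added PHP example that is not code from the thread. load_product() and save_product() are hypothetical stand-ins for your own data layer.

```php
<?php
// Added example: per-form ids stop one tab's edit from clobbering another's.
session_start();

function load_product(int $id): ?array {
    // Constructed stand-in for a database lookup (hypothetical data).
    static $db = [1 => ['name' => 'Widget'], 2 => ['name' => 'Gadget']];
    return $db[$id] ?? null;
}

function save_product(int $id, array $data): void {
    // Replace with a real UPDATE ... WHERE id = :id (hypothetical).
    error_log("saving product $id: " . json_encode($data));
}

// Open an edit form: GET /edit.php?id=2
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    $product = $id ? load_product($id) : null;
    if ($product === null) { http_response_code(404); exit('no such product'); }

    // One random id per opened form; this form's state lives only under that key,
    // so a second tab gets its own key instead of overwriting $_SESSION['edit_id'].
    $form_id = bin2hex(random_bytes(16));
    $_SESSION['forms'][$form_id] = ['edit_id' => $id];

    echo '<form method="post">'
       . '<input type="hidden" name="form_id" value="' . htmlspecialchars($form_id) . '">'
       . '<input type="hidden" name="id" value="' . (int)$id . '">'
       . '<input name="name" value="' . htmlspecialchars($product['name']) . '">'
       . '<button>Save</button></form>';
    exit;
}

// Save: the POST must carry a form_id we issued, and the posted product id
// must match the one that form was opened for (the session is the reference).
$form_id  = (string)($_POST['form_id'] ?? '');
$expected = ctype_xdigit($form_id) ? ($_SESSION['forms'][$form_id] ?? null) : null;
$id       = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($expected === null || !is_int($id) || $id !== $expected['edit_id']) {
    http_response_code(400);
    exit('form id missing or product id does not match the form it was opened in');
}
unset($_SESSION['forms'][$form_id]); // one-shot: a stale or replayed form is rejected
save_product($id, ['name' => (string)($_POST['name'] ?? '')]);
echo 'saved product ' . $id;
```

Run it with `php -S localhost:8080 edit.php`, open /edit.php?id=1 and /edit.php?id=2 in two tabs, and saving either tab updates only the product that tab was opened for.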